Poison Ivy RAT Still Giving Users a Rash

The Poison Ivy malware kit is old. It was first seen in 2005, which makes it about 762 years old in Internet years. But that doesn’t mean it’s no longer useful, as evinced by the data collected by Microsoft in a new report on the tool, which shows that it is still in active use and is turning up on thousands of infected PCs.

Microsoft said it has removed Poison Ivy from more than 16,000 machines since adding it to the coverage of its Malicious Software Removal Tool in early October. The five most prevalent versions of the malware accounted for more than 8.5 percent of all of the malware removed by the MSRT in that time period, the company said. Microsoft’s Malware Protection Center has also released a detailed report on Poison Ivy, which lays out the structural details of the tool, its various components, its infection methods and how attackers obtain it.

Perhaps best known as the remote access Trojan (RAT) that was used as part of the attack on RSA this spring, Poison Ivy has been around for more than six years, although it’s now out of active development. The tool is openly distributed through a public Web site and it’s also available for sale on underground forums in modified versions that are more difficult to detect. Poison Ivy also was used in the recently exposed Nitro attacks against some organizations in the chemical industry.

In essence, Poison Ivy is a server that sits on an infected machine and waits for commands from the client controlled by a remote attacker. It has a slew of capabilities, and gives even a semi-skilled attacker plenty of options once it’s installed. Using Poison Ivy, an attacker can log keystrokes, download and upload files, inject code into running processes, redirect Internet traffic and a host of other things.

“Poison Ivy enables its operators to create customized remote access trojan servers, which they then distribute to unsuspecting victims through exploits, social engineering, and other attack methods. Once the trojan component is executed on a victim’s machine, full control is handed over to the malware operator through the use of a client that is built into the builder of the malware,” Microsoft said in the report on Poison Ivy.

“The kit generates different types of payloads depending on the needs of the operator. The most typical scenario involves generating a PE binary (a Windows® executable), which then must be run on a target computer. The builder component can also be instructed to output a server as shellcode, which can then be used directly in an exploit.”

The payloads that Poison Ivy can generate come in a variety of flavors, including Windows executables and various types of shellcode.

Unlike some newer attack tools and malware kits, Poison Ivy does not include any kind of infection mechanism. Each individual attacker is responsible for finding methods for infecting his own victims. It often shows up in phishing emails and also is sometimes used as the payload in attacks that exploit known or unknown vulnerabilities in Windows or applications. The last public version of Poison Ivy was released more than three years ago, but it’s possible that the author has still been creating private versions for specific customers since then.